Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
Well, the bro 0.9 binary after being stripped down, without debugging
symbols, is now approximately 1.8 Mb (1839856). Does this have any
significant positive impact in terms of performance of bro?
Thanks.
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
Hi,
I want to find a tool to split the captured trace (using the tcpdump tool) into two parts: the normal sub-trace and the abnormal one comprising the network attacks detected. Can Bro do this? If not, any suggestion is preferred.
Thanks a lot!
Yours,
He
I got a bro 0.9 binary of 22Mb on Debian 3.1 PPC with a straightforward
./configure make. At first sight it seems a working binary. It responds
to bro -v and bro -h. I did not try any further command. Below is the
output of the configure run.
checking build system type... powerpc-unknown-linux-gnu
checking host system type... powerpc-unknown-linux-gnu
checking target system type... powerpc-unknown-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets ${MAKE}... yes
checking for style of include used by make... GNU
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking dependency style of gcc... gcc3
checking for flex... flex
checking for flex... (cached) flex
checking for yywrap in -lfl... yes
checking lex output file root... lex.yy
checking whether yytext is a pointer... yes
checking for bison... bison -y
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking for a BSD-compatible install... /usr/bin/install -c
checking whether make sets ${MAKE}... (cached) yes
checking for gzip... gzip
checking for OPENSSL_add_all_algorithms_conf in -lcrypto... yes
checking for SSL_new in -lssl... yes
checking whether OPENSSL_add_all_algorithms_conf is declared... yes
checking for OpenSSL >= 0.9.7... yes
checking for perl5... no
checking for perl... /usr/bin/perl
checking for chown... /bin/chown
checking Linux kernel version... 2
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking return type of signal handlers... void
checking for sigset... yes
checking for int32_t using gcc... yes
checking for u_int32_t using gcc... yes
checking for u_int16_t using gcc... yes
checking for u_int8_t using gcc... yes
checking whether time.h and sys/time.h may both be included... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for memory.h... (cached) yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking socket.h usability... no
checking socket.h presence... no
checking for socket.h... no
checking for netinet/ip6.h... yes
checking for socklen_t... yes
checking if syslog returns int... no
checking if we should declare socket and friends... no
checking for working memcmp... yes
checking for strftime... yes
checking for strerror... yes
checking for strsep... yes
checking for mallinfo... yes
checking for library containing inet_aton... none required
checking for ns_initparse in -lresolv... no
checking for ns_initparse in resolver... yes
checking for tgetnum in -ltermcap... yes
checking readline/readline.h usability... yes
checking readline/readline.h presence... yes
checking for readline/readline.h... yes
checking whether byte ordering is bigendian... yes
checking for ns_msg... yes
checking for res_mkquery... no
checking for res_mkquery in -lresolv... yes
checking for union semun... no
checking for struct sembuf... yes
checking for struct sockaddr_in.sin_len... no
checking for long long... yes
checking size of long long... 8
Using shipped pcap
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating doc/Makefile
config.status: creating doc/ref-manual/Makefile
config.status: creating doc/quick-start/Makefile
config.status: creating doc/user-manual/Makefile
config.status: creating aux/adtrace/Makefile
config.status: creating aux/cf/Makefile
config.status: creating aux/hf/Makefile
config.status: creating aux/scripts/Makefile
config.status: creating aux/bdcat/Makefile
config.status: creating aux/rst/Makefile
config.status: creating aux/Makefile
config.status: creating policy/Makefile
config.status: creating policy/sigs/Makefile
config.status: creating scripts/Makefile
config.status: creating scripts/bro_config
config.status: creating scripts/bro.rc
config.status: creating scripts/localnetMAC.pl
config.status: creating scripts/s2b/Makefile
config.status: creating scripts/s2b/bro-include/Makefile
config.status: creating scripts/s2b/example_bro_files/Makefile
config.status: creating scripts/s2b/etc/Makefile
config.status: creating scripts/s2b/bin/Makefile
config.status: creating scripts/s2b/pm/Makefile
config.status: creating scripts/s2b/snort_rules2.2//Makefile
config.status: creating config.h
config.status: executing default-1 commands
config.status: executing default commands
Using install prefix /usr/local/bro
Compiling Bro with OpenSSL support: Yes
Using perl /usr/bin/perl
Using non-blocking main loop: No
> 1. I see the introduction in bro overview: Bro targets high-speed
> (Gbps). I am surprised and doubt it.
These issues are discussed at length in the original Bro paper and also
H. Dreger, A. Feldmann, V. Paxson, and R. Sommer, Operational
Experiences with High-Volume Network Intrusion Detection, Proc.
ACM CCS, October 2004.
available at http://www.bro-ids.org/publications.html.
> 2. I know bro supports defining signatures in regular expressions. I
> want to know how bro supports
> regular expressions: by perl or do it yourself.
It has its own implementation, which is essentially the same as the one
used by the "flex" utility (freeware replacement for lex, which I wrote a
long time ago).
> 3. Is there realtime alarm function in bro?
Yes. This is a basic question that is also answered in the Bro paper,
as well as in the documentation available from bro-ids.org.
Vern
Hello:
Firstly, I am sorry for my English :) .
I have some questions on bro:
1. I see the introduction in the bro overview: Bro targets high-speed
(Gbps). I am surprised and doubt it.
bro captures packets through libpcap and BPF filter, but libpcap
isn't high performance.
That's the reason why zero copying and DMA tech are used in the IDS field.
bro analyses events by policy scripts. There is a problem that
a script's performance is lower than binary
programs. I didn't test bro's performance, maybe I am wrong.
2. I know bro supports defining signatures in regular expressions. I
want to know how bro supports
regular expressions: by perl or do it yourself.
3. Is there a realtime alarm function in bro? I sometimes want to
see the current network status on
screen, instead of viewing bro's report file.
Many many thanks
> This is not the first time that this has come up, but generic looping
> has been discouraged in general for performance reasons.
Now not so much for performance reasons (though that was the original
reason) but to push on users to think about using other language constructs
that achieve the same results using more abstracted data structures.
The notion is that often there's a way to express what you want to
do using sets, tables, or events.
Vern
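As an added illustration of the point above (this is not code from the list message or from the Bro distribution), the following policy fragment counts unanswered connection attempts per source host with a table indexed by address, rather than keeping a list of hosts and looping over it on every event. The threshold of 20 and the message text are assumptions made for the example; `connection_attempt`, `table[addr] of count`, `&default` and `fmt` are standard Bro script constructs.

```bro
# Added example: per-host counting via a table, no explicit loop.
# The table is keyed by originator address; &default = 0 means a
# first lookup of an unseen host yields 0 instead of an error, so a
# single ++ both inserts and increments.
global attempts: table[addr] of count &default = 0;

# connection_attempt is raised when an originator's SYN goes unanswered.
event connection_attempt(c: connection)
	{
	local src = c$id$orig_h;
	++attempts[src];

	# Threshold value is an assumption for this example.
	if ( attempts[src] == 20 )
		print fmt("%s has made 20 unanswered connection attempts", src);
	}
```

The same idea extends to sets (membership tests replace "is this host in my list" loops) and to events (raise an event when a threshold is crossed and let a separate handler act on it), which is the style the reply encourages.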
> I'm glad to hear that the new version is out, but
> can someone add this to the cvs-repository?
This wasn't added because it's not in fact the correct fix but just
a workaround. There's logic in Bro's signal handling intended to avoid
the reentrancy problem in the first place. Could you please reproduce
the problem with 0.9a10 and send me (off-list) a full traceback so I can
try to see where that logic is failing?
> Do you plan to make cvs-repository available for anyone
> (read-only of course ;-)?
Probably not any time soon, unless folks want to argue that it would
really be helpful.
> Or at least do you plan to
> make something like hot-fix-patches for last released version?
It seems it's indeed time to start doing this. Related to this, I'm making
0.9a10 the basis for a continuing bug-fix-only 0.9 branch. For development,
we've switched internally to 1.0 (which already has a lot of changes -
stay tuned).
Vern